Threat Watch

Slowing of Qakbot Campaigns Indicates Possible Hiatus Approaching

Over the last two days, Binary Defense has observed a reduction of Qakbot malware distribution campaigns. Typically, Qakbot releases a new botgroup each day, incrementing the botgroup counter by one for each new botgroup released. This has been a continuous trend since early April. However, recently Qakbot has been indicating the possibility of a hiatus, evident in part by the lack of new botgroup campaigns on both Wednesday and Thursday. This may be a sign that Durak Group is slowing down botnet operations in preparation for a break.

Subscribe to Threat Watch

Daily summaries of threats, delivered straight to your inbox!


Click Here to Subscribe to Threat Watch

ANALYST NOTES

If Durak Group does decide to go on break, this is the perfect time to block all of the current Command and Control (C2) IP addresses, along with cleaning of possibly infected devices. Infected devices can be identified by regular network communication with the C2 servers or by host-based indicators of compromise. All the most recent Qakbot C2 server IP addresses can be found in the Binary Defense pulses on Open Threat Exchange (https://otx.alienvault.com/user/BinaryDefense/pulses) The break might not last very long, so Binary Defense recommends taking remediation actions sooner rather than later.

Facebook Twitter Instagram Youtube Linkedin
Solutions
Become a Reseller

Industries

Resources

About

Contact Us
Contact Support